
[GHSA-qpm2-6cq5-7pq5] happy-dom's --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript #7485

Closed
Wenxin-Jiang wants to merge 1 commit into Wenxin-Jiang/advisory-improvement-7485 from Wenxin-Jiang-GHSA-qpm2-6cq5-7pq5

Conversation

@Wenxin-Jiang

Updates

  • Affected products

Comments

Evidence

  1. The upstream fix contains no code changes to the core happy-dom package.

    • Fix commit: f4bd4ebe
    • Only packages/@happy-dom/server-renderer/src/ServerRenderer.ts and its test were modified
    • The change is a single-line addition of --frozen-intrinsics to the Worker’s execArgv
    • The happy-dom@20.0.1 -> happy-dom@20.0.2 change in the core package is only a version bump (version.js and package.json)
  2. The advisory’s own remediation text implicitly confirms that the core package has no fix.

    "Users can freeze the builtins in the global scope to defend against attacks... Migration to isolated-vm is suggested instead."

    Notably, there is no recommendation to “upgrade to 20.0.2,” because upgrading the core package does not resolve the issue.

Nuance

The root cause — VMGlobalPropertyScript.ts sharing globalThis builtins into the VM context — lives in core happy-dom. Rather than fixing it there, the upstream maintainer addressed the issue one layer up by adding Worker-level isolation in the server-renderer consumer. As a result:

  • Users who upgrade @happy-dom/server-renderer to >= 20.0.2 actually receive the fix
  • Users who upgrade happy-dom to >= 20.0.2 with enableJavaScriptEvaluation: true remain exploitable, including on “patched” 20.0.2, unless they independently run Node with --frozen-intrinsics or migrate to isolated-vm

Proposed correction

  1. Add @happy-dom/server-renderer ≥ 19.0.0, < 20.0.2 as an affected package, with fix version 20.0.2.
  2. Remove happy-dom from the affected-package list, since no fix version exists for the core package and flagging it misdirects consumers to an upgrade that provides no protection.

That is the package where the only real code-level fix exists, and keeping the advisory pinned to happy-dom misdirects consumers toward an upgrade that provides no protection.


github commented Apr 22, 2026

Hi there @capricorn86! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

@github-actions github-actions Bot changed the base branch from main to Wenxin-Jiang/advisory-improvement-7485 April 22, 2026 16:20
@helixplant helixplant closed this Apr 22, 2026
@github-actions github-actions Bot deleted the Wenxin-Jiang-GHSA-qpm2-6cq5-7pq5 branch April 22, 2026 20:05